This sounds like it could be the problem, Andy. Thank you very much for the insights. First thing early tomorrow when I am back at site I will try this and see if I can establish a connection from Python and send a response.

-Jim

On Fri, Feb 17, 2017 at 7:52 PM, Andy LoPresto <[email protected]> wrote:

> Jim,
>
> In the curl command, do you use the “-i”/“--insecure” flag? The issue
> sounds like one where Python does not trust the NiFi server certificate
> presented when it attempts to make the connection. “No Authentication” in
> the Client Authentication setting means that NiFi is not enforcing the
> presence of a client certificate (one presented by Python), but it is still
> presenting one if you configured the StandardSSLContextService with a
> keystore. If NiFi is presenting a cert and using TLS, it won’t accept
> incoming connections on plain HTTP. You’ll have to tell Python to trust
> that specific certificate or the signer [1]. Luckily it looks pretty simple
> to provide it the PEM-encoded public certificate directly in the code to
> make the request.
>
> Perhaps this crude drawing will help:
>
> [1] http://stackoverflow.com/a/30405947/70465
> [2] http://security.stackexchange.com/a/20847/16485
>
> Andy LoPresto
> [email protected]
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
>
> On Feb 16, 2017, at 11:27 AM, James McMahon <[email protected]> wrote:
>
> I am unable to get a response from my NiFi server HandleHttpRequest
> processor when I issue a POST from Python code on a remote box. I suspect
> my configuration of certs is somehow missing a vital piece of the puzzle,
> though that seems contrary to my configuration of HandleHttpRequest (No
> Authentication in parm Client Authentication). From the calling program
> window all we see is a message that we have made an unverified https
> request.
>
> My HandleHttpRequest processor is configured with No Authentication in
> parm Client Authentication. I assumed that this meant no client cert is
> required for a posting program to post, but now I suspect that I am wrong
> about that.
>
> I do include in the config for this processor an SSL Context Service,
> StandardSSLContextService. The service is Enabled. The service configuration
> references my keystore and truststore.
>
> Currently we are executing the python program as user root on the remote
> server. We are not including any cert reference in our POST call.
>
> What is lacking in my configuration?
>
> We are able to get a response back from the NiFi server when we issue the
> POST via a curl command. Thanks in advance for your help. -Jim
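
The approach discussed in this thread (having Python trust the NiFi server's PEM-encoded certificate instead of sending an unverified HTTPS request), sketched as an added example that is not part of the original messages. The function names, the URL and the `nifi-cert.pem` file name are assumptions; only the Python standard library is used.

```python
import ssl
import urllib.error
import urllib.request


def strict_context():
    """Verifying client context with an empty trust store."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking and
    # loads no system CAs, so only certificates added later are trusted.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def nifi_context(ca_pem_path):
    """Trust only the PEM certificate(s) exported for the NiFi server."""
    ctx = strict_context()
    ctx.load_verify_locations(cafile=ca_pem_path)  # raises if missing/invalid
    return ctx


def post_to_nifi(url, body, ca_pem_path, timeout=10):
    """POST bytes to a HandleHttpRequest listener over verified TLS."""
    if not url.lower().startswith("https://"):
        # A listener with an SSL context service does not answer plain HTTP.
        raise ValueError("NiFi listener uses TLS; URL must start with https://")
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/octet-stream"},
    )
    try:
        with urllib.request.urlopen(
            req, context=nifi_context(ca_pem_path), timeout=timeout
        ) as resp:
            return resp.status, resp.read()
    except urllib.error.URLError as exc:
        # Surface trust failures clearly instead of disabling verification.
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            raise RuntimeError(
                "NiFi certificate not trusted: " + exc.reason.verify_message
            ) from exc
        raise


if __name__ == "__main__":
    # Assumed values: substitute your NiFi host, port, path and PEM file.
    print(post_to_nifi("https://nifi.example.com:9443/ingest",
                       b"hello", "nifi-cert.pem"))
```

Hostname checking stays on, so the host in the URL must match a name in the server certificate.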
